Jérôme Mouneyrac
added a comment - 16/Nov/11 4:50 PM - edited Actually it's not really this line but somewhere in the last change ( https://github.com/moodle/moodle/commit/581e8dba387f090d89382115fd850d8b44351526#lib/weblib.php ). Regular expression are not my strenght, Petr can you have a look? Thanks.

is what cause the wrong url. However I suppose it's not the real problem. I detected in the previous version that the $encodedurl had "Xlanguage" when $url had "language".

At least in the last commit, it's consistent ($encodedurl and $url have "Xlanguage"). It seems the issue is anterior and was located in $encodedurl... so the issue is now also in $url. I'm still looking to this, I don't know what this X protection is for so maybe I'm totaly not looking to the right thing...

Jérôme Mouneyrac
added a comment - 17/Nov/11 5:21 PM - edited After a bit more looking the:
$url = str_replace('&amp;', '&', $encodedurl);
is what cause the wrong url. However I suppose it's not the real problem. I detected in the previous version that the $encodedurl had "Xlanguage" when $url had "language".
At least in the last commit, it's consistent ($encodedurl and $url have "Xlanguage"). It seems the issue is anterior and was located in $encodedurl... so the issue is now also in $url. I'm still looking to this, I don't know what this X protection is for so maybe I'm totaly not looking to the right thing...

This is a fix that "revert back" the $url without adding X to language parameter.

So with this fix it behaves like before the last commit:
a) when redirect is straight forward, then nothing is added to parameter named 'language' or 'on'. (maybe this is a security issue?)
b) when redirect is on a page with displayed content then a continue link is displayed. This continue link add X to 'language'/'on' (so this break the registration process but luckily it should never happen).

In conclusion this is a temporary fix that bring back registration process to live. A new issue need to be filled about the X (it seems to be a fix for a security issue, but it breaks all 'language'/'on' redirect parameter.)

Jérôme Mouneyrac
added a comment - 18/Nov/11 8:53 AM This is a fix that "revert back" the $url without adding X to language parameter.
So with this fix it behaves like before the last commit:
a) when redirect is straight forward, then nothing is added to parameter named 'language' or 'on'. (maybe this is a security issue?)
b) when redirect is on a page with displayed content then a continue link is displayed. This continue link add X to 'language'/'on' (so this break the registration process but luckily it should never happen).
In conclusion this is a temporary fix that bring back registration process to live. A new issue need to be filled about the X (it seems to be a fix for a security issue, but it breaks all 'language'/'on' redirect parameter.)

Petr Skoda
added a comment - 18/Nov/11 4:49 PM The proposed str_replace('&', '&', $encodedurl); reordering creates a regression, do not integrate. I do not know how to solve this, the easiest workaround is to not use language= in URLs.